This morning, Ryerson University and Deloitte announced a new certification framework based on Privacy by Design principles. Privacy by Design is a set of principles that builds privacy into the design, operation and management of a given system, business process or design specification. It is based on 7 Foundational Principles developed by Dr Ann Cavoukian, Executive Director of Ryerson’s Privacy and Big Data Institute and the former Information and Privacy Commissioner of Ontario.
Under the Privacy by Design framework, Ryerson will be responsible for certifying organizations that meet the necessary privacy criteria. Organizations must first undergo an assessment by Deloitte, Ryerson’s exclusive assessment arm for the certification framework, against the 7 Foundational Principles.
Deloitte will assess the strength of an organization’s privacy practices relative to internationally recognized privacy principles, including privacy regulation, industry self-regulatory practices and best practices. It has developed criteria to empirically validate specific offerings by using an assessment scorecard technique to quantify and measure compliance. Applications for certification will be sent to Ryerson. Ryerson will provide the application to Deloitte, which will prepare a report with recommendations for use by Ryerson in deciding whether to issue a “Certification Shield”, a logo that organizations can use to promote their privacy practices.
According to Ryerson and Deloitte, a Privacy by Design certification will give organizations the ability to:
- Ensure compliance by getting ahead of the legislative curve and minimizing compliance risk
- Reduce the likelihood of fines and penalties, including financial losses and/or liability associated with privacy breaches
- Build your brand by fostering greater consumer confidence and trust thereby gaining a sustainable competitive advantage
- Better manage post-breach incidents to regain consumer trust and confidence
- Maintain best practices by seeking independent testing of privacy and security controls rather than more self-reporting or testing
According to Dr Cavoukian in a speech this morning kicking off the program, organizations that use Privacy by Design principles should be “shouting about it from the rooftops”. In her view, it is based on a positive sum model, “a win win” for businesses and consumers.
Privacy by Design was developed by Dr Cavoukian in the 1990s. In 2010 the framework was adopted as an international standard by data and privacy commissioners from around the world. Since then it has been translated into 37 languages. It has been adopted in many jurisdictions in Europe and will, according to Dr Cavoukian, likely be included in forthcoming amendments to the EU’s new data protection law. The principles have been operationalized by some of North America’s largest companies.
The Privacy by Design certification is not affiliated with the Information and Privacy Commissioner of Ontario, and certification by Ryerson does not signify compliance with Ontario privacy laws.